netfilter-devel.vger.kernel.org archive mirror
From: Florian Westphal <fw@strlen.de>
To: "Bjørnar Ness" <bjornar.ness@gmail.com>
Cc: Michal Kubecek <mkubecek@suse.cz>,
	Jan Engelhardt <jengelh@inai.de>,
	netfilter-devel@vger.kernel.org
Subject: Re: routing table lookup
Date: Fri, 14 Oct 2016 13:44:21 +0200
Message-ID: <20161014114421.GB10404@breakpoint.cc>
In-Reply-To: <CAJO99TnLzTbtTZP_DKE37eG_+X3T5b1g5rbhVTGz07RDgShDPw@mail.gmail.com>

Bjørnar Ness <bjornar.ness@gmail.com> wrote:
> 2016-10-12 8:19 GMT+02:00 Michal Kubecek <mkubecek@suse.cz>:
> > On Wed, Oct 12, 2016 at 12:17:24AM +0200, Bjørnar Ness wrote:
> >>
> >> Yeah, sort of. But afaik rpfilter is an iptables module, and not
> >> available in nftables yet.
> >>
> >> Pablo: is the "lookup in routing table from nftables" a total waste of time?
> >
> > You may be interested in
> >
> >   https://www.youtube.com/watch?v=wfWMPlZHQBk&t=19m40s
> 
> Thanks, Michal, this is interesting, but not exactly what I am looking
> for. This fib module would as far as I can tell follow the routing from
> rules -> table -> decision, which will need both a src and dst address.
> What I want is to skip the rule matching, and check directly in a table,
> that way we only need a single address, and the following should
> potentially work from prerouting:
> 
> ip saddr rt_table 10 drop
> 
> comments?

I don't really understand why you would want this.

If you only want to match saddr, why not use ipset (or nftables set) for
this?

If you want to use the fib, why not use blackhole routes?

I'd like to understand why you need this 'rule skip' thing, seems we
would have to export some fib internals for this which I'd like to
avoid.
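
The nftables-set alternative raised in the reply above, sketched as an added example that is not part of the original message or of any poster's configuration. The table, set and chain names and the addresses (RFC 5737 documentation ranges) are constructed assumptions.

```nft
# Constructed example: all names and addresses below are assumptions,
# not taken from the thread.
table ip srcfilter {
    # Named set of source prefixes. "interval" lets the set hold CIDR
    # ranges as well as single addresses.
    set blocked_src {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.17 }
    }

    chain prerouting {
        # Priority -300 (raw) runs before connection tracking, so
        # dropped packets never create conntrack state.
        type filter hook prerouting priority -300; policy accept;

        # Single-address match on the source only: no routing rules
        # or destination address are involved in the decision.
        ip saddr @blocked_src counter drop
    }
}
```

Load the file with `nft -f`; the set can then be changed at runtime without touching the rule, for example `nft add element ip srcfilter blocked_src { 203.0.113.0/24 }`.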
